Skip Navigation
Illinois Attorney General Lisa Madigan
Home | Careers | Press Room | Opinions | Español | Other Languages | Contact Us
 

May 23, 2017

ATTORNEY GENERAL MADIGAN ANNOUNCES $18.5 MILLION SETTLEMENT WITH TARGET OVER DATA BREACH

Agreement Establishes Industry Standards for Collecting and Protecting Consumer Data

Chicago — Attorney General Lisa Madigan today announced that Illinois led 47 states and the District of Columbia in reaching an $18.5 million settlement with the Target Corporation to resolve the states' investigation into the company's 2013 data breach. The settlement represents the largest multistate data breach settlement achieved to date and sets industry standards for better protecting consumers’ information from data breaches in the future.

The states' investigation, led by Madigan and Connecticut Attorney General George Jepsen, found that cyber attackers accessed Target's gateway server through credentials stolen from a third-party HVAC vendor on or about November 12, 2013. The credentials were used to exploit weaknesses in Target's system, allowing the attackers to access a customer service database, install malware on the system and to capture customer data, including full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, credit card verification codes and encrypted debit PINs.

The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.

“Today’s settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers,” Madigan said. “People must remain vigilant about activity on their credit and debit cards as it's not a matter of if but when you are going to be a victim of identity theft or a security breach.”

The new industry standards require Target to:

  • Develop, implement and maintain a comprehensive information security program;
  • Employ an executive or officer who is responsible for executing the plan;
  • Hire an independent, qualified third-party to conduct a comprehensive security assessment:
  • Maintain and support software on its network for data security purposes;
  • Maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
  • Segment its cardholder data environment from the rest of its computer network; and
  • Undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication.

Illinois will receive more than $1.2 million from the settlement.

Joining Madigan and the Connecticut Attorney General’s office in participating in the settlement are attorneys general from: Alaska, Arizona, Arkansas, California, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia and the District of Columbia.

A copy of the settlement document can be found here.

Consumer Protection Division Chief Deborah Hagan, Springfield Bureau Chief Elizabeth Blackston, Assistant Attorney General Matthew Van Hise and Assistant Attorney General Yangsu Kim handled the settlement for Madigan’s Consumer Protection Bureau.

-30-

Return to May 2017 Press Releases

go to top of page

© 2010 Illinois Attorney General HomePrivacy Policy Contact Us